Identifying root-cause for packet drops

0

I have a set of multiple security groups as well as network ACLs. I would like to identify which flow is matching my packets, to troubleshoot connectivity issues. I usually debug such problems by using "ping flood", namely "ping -f [[target_ip]]", which makes it easy to track the counters at different points in the network. However, I was unable to find a way to get counters on a per-rule basis.

I end up trying to delete / add rules one by one to detect what is causing the problem. I find this process to be very ineffective. Is there a way to get the match counters? I'm looking for something that would match iptables -nvL INPUT --line-numbers on a Linux box.

3 Answers
0

Hello,

I end up trying to delete / add rules one by one to detect what is causing the problem.

Referring to the above comment, what is the goal here? Are we trying to check if the packets get dropped because of security groups or network ACLs? If yes, you can use VPC flow logs to identify the rejected packets. [1]

Also, any traffic rejected at the OS level will not be captured by VPC Flow Logs.

[1] https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups

[2] Publish flow logs to CloudWatch Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html

[3] Logging IP traffic using VPC Flow Logs - Available fields - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields

EXPERT
answered 8 months ago
EXPERT Steve_M reviewed 8 months ago
AWS EXPERT reviewed 8 months ago
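The answer above points at VPC Flow Logs for spotting rejected packets. The following is an added example, not part of the answer or of any AWS tooling: it parses default-format (version 2) flow log records, lists the REJECT records, and applies the reasoning from the linked security-group example. Because security groups are stateful, a response flow whose request was ACCEPTed cannot be rejected by a security group, so a REJECT whose reverse flow was accepted must come from a network ACL; a REJECT with no accepted reverse flow could be either layer, and the example says so rather than guessing. It also sums rejected packets per destination address/port/protocol, which is the closest thing to a per-rule counter the logs give you. The log lines, the ENI id and the account id are constructed placeholders; OS-level drops never appear in these logs, as the answer notes.

```python
from collections import Counter, namedtuple

# Field order of the default (version 2) VPC Flow Log record, per the
# "available fields" documentation linked in the answer.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
Record = namedtuple("Record", FIELDS)

NACL = "network-acl"        # reverse flow was ACCEPTed: only a stateless NACL can reject it
SG_OR_NACL = "sg-or-nacl"   # no accepted reverse flow: either layer may be responsible

# Constructed sample (placeholder account, ENI and addresses; not real traffic).
# Flows: SSH from 203.0.113.12 accepted both ways; SSH from 198.51.100.7 rejected
# inbound; HTTP from 172.31.9.69 accepted inbound but its response rejected outbound;
# one NODATA record that carries no addresses.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 10.0.1.5 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 10.0.1.5 203.0.113.12 22 49152 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.1.5 40001 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 10.0.1.5 55000 80 6 5 400 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 10.0.1.5 172.31.9.69 80 55000 6 5 400 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; skip malformed lines and NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record (custom formats differ)
        rec = Record(*parts)
        if rec.log_status != "OK":
            continue  # NODATA / SKIPDATA records have no address or action fields
        records.append(rec)
    return records


def _flow_key(r):
    return (r.srcaddr, r.dstaddr, r.srcport, r.dstport, r.protocol)


def _reverse_key(r):
    # The 5-tuple of the opposite direction of the same conversation.
    return (r.dstaddr, r.srcaddr, r.dstport, r.srcport, r.protocol)


def classify_rejects(records):
    """Return one finding per REJECT record with an NACL / SG-or-NACL verdict."""
    accepted = {_flow_key(r) for r in records if r.action == "ACCEPT"}
    findings = []
    for r in records:
        if r.action != "REJECT":
            continue
        # Security groups are stateful: if the request was accepted, the response
        # is allowed by the security group, so a REJECT here must be the NACL.
        verdict = NACL if _reverse_key(r) in accepted else SG_OR_NACL
        findings.append({
            "src": r.srcaddr, "dst": r.dstaddr, "dstport": r.dstport,
            "protocol": r.protocol, "packets": int(r.packets), "verdict": verdict,
        })
    return findings


def reject_counts(records):
    """Rejected packets summed per (dstaddr, dstport, protocol): a rough per-rule counter."""
    counts = Counter()
    for r in records:
        if r.action == "REJECT":
            counts[(r.dstaddr, r.dstport, r.protocol)] += int(r.packets)
    return counts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for finding in classify_rejects(recs):
        print(finding)
    for key, n in reject_counts(recs).items():
        print(key, n)
```

Feed it the records pulled from CloudWatch Logs (or S3) for the ENI you are pinging; the "sg-or-nacl" verdict is the case where you still need to inspect both layers, while "network-acl" narrows the search immediately. Aggregating over a ping-flood window gives you drop counts per destination without touching any rules.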
0

You can use the AWS Reachability Analyzer tool to determine the cause of an issue between a source and destination due to security groups or NACLs. It also includes additional path components that give you more information on packet drops. https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

AWS
answered 8 months ago
0

Oh man, I feel you on this one. Troubleshooting connectivity issues without per-rule counters is like finding a needle in a haystack. 🌾📌

I've been in a similar spot, and you're right, deleting and adding rules one by one is beyond inefficient; it's like playing a game of whack-a-mole. 🐾🔨

If you're working in an AWS environment, they've got VPC Flow Logs that can give you some data, but it's not as straightforward as 'iptables -nvL INPUT --line-numbers'. Unfortunately, as far as I know, most cloud providers don't give you per-rule match counters like a traditional Linux box. 😭☁️

For now, you might want to consider third-party tools or network monitoring solutions that can give you more granular data, but yeah, it's a gap in the feature set that I wish would get addressed soon. 🧐🔍

[1] https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups-yacine

[2] Publish flow logs to CloudWatch Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html

answered 8 months ago
